Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve tracking of connectionless UDP syscalls #1741

Merged
merged 7 commits into from
Sep 30, 2024
Merged

Improve tracking of connectionless UDP syscalls #1741

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
9143fc5
Start tracking recvmmsg and sendmmsg in order to fully support OCP Virt
Molter73 Jul 12, 2024
7479428
Add integration tests for newly tracked send/recv syscalls
Molter73 Sep 6, 2024
2c75cce
Cleanup udp_networkflow.go and bump Falco version
Molter73 Sep 25, 2024
880d840
Bump falco version
Molter73 Sep 25, 2024
b79e261
Only load interesting syscalls (#1855)
Molter73 Sep 27, 2024
d708f05
Minor cleanup
Molter73 Sep 27, 2024
73c2adf
Bump falco version
Molter73 Sep 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .editorconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ trim_trailing_whitespace = true
indent_style = space
indent_size = 2

[integration-tests/**.c]
indent_style = space
indent_size = 2

[*.sh]
indent_style = space
indent_size = 4
Expand Down
14 changes: 12 additions & 2 deletions collector/lib/CollectorConfig.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@ BoolEnvVar use_podman_ce("ROX_COLLECTOR_CE_USE_PODMAN", false);

BoolEnvVar enable_introspection("ROX_COLLECTOR_INTROSPECTION_ENABLE", false);

BoolEnvVar track_send_recv("ROX_COLLECTOR_TRACK_SEND_RECV", false);

// Collector arguments alternatives
StringEnvVar log_level("ROX_COLLECTOR_LOG_LEVEL");
IntEnvVar scrape_interval("ROX_COLLECTOR_SCRAPE_INTERVAL");
Expand Down Expand Up @@ -103,9 +105,16 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) {
use_docker_ce_ = use_docker_ce.value();
use_podman_ce_ = use_podman_ce.value();
enable_introspection_ = enable_introspection.value();
track_send_recv_ = track_send_recv.value();

for (const auto& syscall : kSyscalls) {
syscalls_.push_back(syscall);
syscalls_.emplace_back(syscall);
}

if (track_send_recv_) {
for (const auto& syscall : kSendRecvSyscalls) {
syscalls_.emplace_back(syscall);
}
}

// Get hostname
Expand Down Expand Up @@ -454,7 +463,8 @@ std::ostream& operator<<(std::ostream& os, const CollectorConfig& c) {
<< ", set_import_users:" << c.ImportUsers()
<< ", collect_connection_status:" << c.CollectConnectionStatus()
<< ", enable_detailed_metrics:" << c.EnableDetailedMetrics()
<< ", enable_external_ips:" << c.EnableExternalIPs();
<< ", enable_external_ips:" << c.EnableExternalIPs()
<< ", track_send_recv:" << c.TrackingSendRecv();
}

// Returns size of ring buffers to be allocated.
Expand Down
10 changes: 10 additions & 0 deletions collector/lib/CollectorConfig.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,14 @@ class CollectorConfig {
#endif
"vfork",
};
static constexpr const char* kSendRecvSyscalls[] = {
"sendto",
"sendmsg",
"sendmmsg",
"recvfrom",
"recvmsg",
"recvmmsg",
};
static const UnorderedSet<L4ProtoPortPair> kIgnoredL4ProtoPortPairs;
static constexpr bool kEnableProcessesListeningOnPorts = true;

Expand Down Expand Up @@ -82,6 +90,7 @@ class CollectorConfig {
bool UseDockerCe() const { return use_docker_ce_; }
bool UsePodmanCe() const { return use_podman_ce_; }
bool IsIntrospectionEnabled() const { return enable_introspection_; }
bool TrackingSendRecv() const { return track_send_recv_; }
const std::vector<double>& GetConnectionStatsQuantiles() const { return connection_stats_quantiles_; }
double GetConnectionStatsError() const { return connection_stats_error_; }
unsigned int GetConnectionStatsWindow() const { return connection_stats_window_; }
Expand Down Expand Up @@ -122,6 +131,7 @@ class CollectorConfig {
bool use_docker_ce_;
bool use_podman_ce_;
bool enable_introspection_;
bool track_send_recv_;
std::vector<double> connection_stats_quantiles_;
double connection_stats_error_;
unsigned int connection_stats_window_;
Expand Down
35 changes: 34 additions & 1 deletion collector/lib/NetworkSignalHandler.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,14 +24,25 @@ EventMap<Modifier> modifiers = {
{"connect<", Modifier::ADD},
{"accept<", Modifier::ADD},
{"getsockopt<", Modifier::ADD},
{"sendto<", Modifier::ADD},
{"sendto>", Modifier::ADD},
{"sendmsg<", Modifier::ADD},
{"sendmsg>", Modifier::ADD},
{"sendmmsg<", Modifier::ADD},
{"recvfrom<", Modifier::ADD},
{"recvfrom>", Modifier::ADD},
{"recvmsg<", Modifier::ADD},
{"recvmsg>", Modifier::ADD},
{"recvmmsg<", Modifier::ADD},
{"recvmmsg>", Modifier::ADD},
},
Modifier::INVALID,
};

} // namespace

NetworkSignalHandler::NetworkSignalHandler(sinsp* inspector, std::shared_ptr<ConnectionTracker> conn_tracker, system_inspector::Stats* stats)
: event_extractor_(std::make_unique<system_inspector::EventExtractor>()), conn_tracker_(std::move(conn_tracker)), stats_(stats), collect_connection_status_(true) {
: event_extractor_(std::make_unique<system_inspector::EventExtractor>()), conn_tracker_(std::move(conn_tracker)), stats_(stats), collect_connection_status_(true), track_send_recv_(false) {
event_extractor_->Init(inspector);
}

Expand Down Expand Up @@ -141,6 +152,28 @@ SignalHandler::Result NetworkSignalHandler::HandleSignal(sinsp_evt* evt) {
}

std::vector<std::string> NetworkSignalHandler::GetRelevantEvents() {
if (track_send_recv_) {
return {
"close<",
"shutdown<",
"connect<",
"accept<",
"getsockopt<",
"sendto<",
"sendto>",
"sendmsg<",
"sendmsg>",
"sendmmsg<",
"recvfrom<",
"recvfrom>",
"recvmsg<",
"recvmsg>",
"recvmmsg<",
"recvmmsg>",
"recvmsg<",
"recvmsg>",
};
}
return {"close<", "shutdown<", "connect<", "accept<", "getsockopt<"};
}

Expand Down
2 changes: 2 additions & 0 deletions collector/lib/NetworkSignalHandler.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ class NetworkSignalHandler final : public SignalHandler {
bool Stop() override;

void SetCollectConnectionStatus(bool collect_connection_status) { collect_connection_status_ = collect_connection_status; }
void SetTrackSendRecv(bool track_send_recv) { track_send_recv_ = track_send_recv; }

private:
std::optional<Connection> GetConnection(sinsp_evt* evt);
Expand All @@ -38,6 +39,7 @@ class NetworkSignalHandler final : public SignalHandler {
system_inspector::Stats* stats_;

bool collect_connection_status_;
bool track_send_recv_;
};

} // namespace collector
Expand Down
1 change: 1 addition & 0 deletions collector/lib/system-inspector/Service.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ void Service::Init(const CollectorConfig& config, std::shared_ptr<ConnectionTrac
auto network_signal_handler_ = MakeUnique<NetworkSignalHandler>(inspector_.get(), conn_tracker, &userspace_stats_);

network_signal_handler_->SetCollectConnectionStatus(config.CollectConnectionStatus());
network_signal_handler_->SetTrackSendRecv(config.TrackingSendRecv());

AddSignalHandler(std::move(network_signal_handler_));
}
Expand Down
2 changes: 1 addition & 1 deletion falcosecurity-libs
Open in desktop
Submodule falcosecurity-libs updated 20 files
+4 −4 driver/event_table.c
+3 −3 driver/fillers_table.c
+32 −1 driver/modern_bpf/definitions/aarch64/vmlinux.h
+4 −6 driver/modern_bpf/definitions/events_dimensions.h
+32 −1 driver/modern_bpf/definitions/x86_64/vmlinux.h
+54 −19 driver/modern_bpf/helpers/store/auxmap_store_params.h
+121 −10 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/recvmmsg.bpf.c
+117 −12 driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendmmsg.bpf.c
+3 −0 driver/ppm_fillers.h
+31 −2 userspace/libpman/include/libpman.h
+26 −5 userspace/libpman/src/configuration.c
+7 −0 userspace/libpman/src/lifecycle.c
+6 −3 userspace/libpman/src/maps.c
+29 −0 userspace/libpman/src/programs.c
+5 −1 userspace/libpman/src/state.h
+3 −2 userspace/libscap/engine/modern_bpf/scap_modern_bpf.c
+1 −1 userspace/libsinsp/container.cpp
+1 −1 userspace/libsinsp/examples/CMakeLists.txt
+30 −5 userspace/libsinsp/parsers.cpp
+1 −1 userspace/libsinsp/sinsp.cpp
2 changes: 1 addition & 1 deletion integration-tests/container/QA_TAG
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.2.1
2.0.0
17 changes: 17 additions & 0 deletions integration-tests/container/udp/Containerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
FROM fedora:40 AS builder

WORKDIR /tmp
COPY udp-server.c .
COPY udp-client.c .

RUN dnf install -y gcc && \
gcc udp-server.c -Wall -Wpedantic -Werror -o udp-server && \
gcc udp-client.c -Wall -Wpedantic -Werror -o udp-client

FROM fedora:40

COPY --from=builder /tmp/udp-server /usr/local/bin
COPY --from=builder /tmp/udp-client /usr/local/bin
EXPOSE 9090

ENTRYPOINT ["udp-server"]
25 changes: 25 additions & 0 deletions integration-tests/container/udp/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
BASE_PATH = .
include ../Makefile-constants.mk

.DEFAULT_GOAL = all

COLLECTOR_QA_UDP_TAG := udp

ifneq ($(COLLECTOR_QA_TAG),)
COLLECTOR_QA_UDP_TAG=udp-$(COLLECTOR_QA_TAG)
endif

.PHONY: all
all: build

.PHONY: build
build:
@docker buildx build --load --platform ${PLATFORM} \
-t quay.io/rhacs-eng/qa-multi-arch:$(COLLECTOR_QA_UDP_TAG) \
-f Containerfile .

.PHONY: build-and-push
build-and-push:
@docker buildx build --push --platform ${PLATFORM} \
-t quay.io/rhacs-eng/qa-multi-arch:$(COLLECTOR_QA_UDP_TAG) \
-f Containerfile .
Loading
Loading